Even though you have a certificate on your site and you’re serving pages with HTTPS, web browsers might still say that your site (or certain pages on it) aren’t secure.
A single web page usually consists of dozens (or even hundreds) of separate files (called assets). These include the basic HTML page itself, but also all the images, audio, video, CSS files, JavaScript files, etc. that are used. If any of those assets isn’t being served over HTTPS, browsers will change how they use that asset. Having any HTTP assets on an HTTPS page is called “mixed content”.
A single web page usually consists of dozens (or even hundreds) of separate files (called assets). These include the basic HTML page itself, but also all the images, audio, video, CSS files, JavaScript files, etc. that are used. If any of those assets isn’t being served over HTTPS, browsers will change how they use that asset. Having any HTTP assets on an HTTPS page is called “mixed content”.
There are two types of mixed content:
Passive mixed content includes images, audio files, video, etc. that could be tampered with over HTTP, but wouldn’t affect the functionality of the underlying page. Browsers generally allow passive mixed content, but they mark the entire page hosting that content as insecure and don’t display a padlock in the address bar.
Active mixed content includes things like scripts, frames, etc. that could be tampered with over HTTP and would affect the functionality of the page, potentially allowing a wide range of malicious behaviors. Browsers generally block active mixed content, which can lead to parts of the page not working correctly.
To identify the contet and fix the issue, I woul recoomned you to try simple tool called https://www.missingpadlock.com/